CN105874767B - Detecting anomalous activity from accounts of online services - Google Patents

Detecting anomalous activity from accounts of online services

Info

Publication number
CN105874767B
Authority
CN
China
Prior art keywords
event
date
account
profile
past
Prior art date
Legal status
Active
Application number
CN201480069416.7A
Other languages
Chinese (zh)
Other versions
CN105874767A (en)
Inventor
A·萨多夫斯基
R·拉尔卡卡
V·夏尔马
R·拉加古帕兰
A·麦克劳德
Current Assignee
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Technology Licensing LLC
Priority date
Filing date
Publication date
Application filed by Microsoft Technology Licensing LLC
Publication of CN105874767A
Application granted
Publication of CN105874767B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles
    • H04L 67/306 User profiles
    • H04L 67/50 Network services
    • H04L 67/535 Tracking the activity of the user
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F 3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F 3/048 Interaction techniques based on graphical user interfaces [GUI]
    • G06F 3/0481 Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 20/00 Payment architectures, schemes or protocols
    • G06Q 20/38 Payment protocols; Details thereof
    • G06Q 20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q 20/401 Transaction verification
    • G06Q 20/4016 Transaction verification involving fraud or risk level assessment in transaction processing


Abstract

Anomalous activity is detected using event information received from accounts of an online service (110). Generally, anomalous activity is detected by comparing a baseline profile (155) with a latest profile (165), where the baseline profile (155) includes past event information for an account of the online service (110) and the latest profile (165) includes the latest event information for that account. Anomalous activity is detected when the latest profile (165) shows that one or more events occur more frequently than the same events occur in the associated baseline profile (155). The events recorded and used for anomaly detection may include all or a portion of the events monitored by the online service (110). One or more reports (130) may also be created automatically and provided to one or more users to show activity that may be considered anomalous.

Description

Detecting anomalous activity from accounts of an online service
Background
Anomaly detection is used to determine when data does not match an expected pattern. For example, a credit card company can use anomaly detection to help detect fraudulent activity related to a customer's credit card. An online service can create rules to detect anomalous activity when network traffic exceeds a predetermined threshold. Detecting anomalous activity associated with an online service can be challenging and time-consuming. For example, there is usually an extremely large amount of data related to the operation of the online service that may need to be analyzed. Instead of processing all of that data, many online services detect anomalous activity by determining when a predefined event occurs on a single machine or on a few machines of the online service. For example, the predefined event may occur in response to the network traffic of the online service exceeding some predetermined level, or when a large number of processes start within a short period of time.
Summary
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to determine the scope of the claimed subject matter.
Anomalous activity is detected using event information monitored from accounts that perform activity in an online service. Generally, anomalous activity is detected by determining when a baseline profile and a latest profile differ, where the baseline profile represents the "normal" activity of the online service and the latest profile represents the "current" activity of an account in the online service. For example, when an event (e.g. a create-account event) occurs more frequently in the latest profile than the rate at which the create-account event occurs in the baseline profile, anomalous activity may be detected. The event information used to detect anomalous activity may include all or a portion of the events monitored by the online service. For example, the events used for anomaly detection may include all or part of the security events (e.g. any event that changes permissions, such as creating an account, changing the permissions of one or more accounts, logging into the online service or logging out of the online service, ...) and other types of events (e.g. system events, hardware events, etc.). An authorized user can configure the events to be monitored, and/or the events used for one or more types of event can be selected automatically. The accounts monitored for anomalous activity may include all or a portion of the accounts of the online service. For example, the accounts monitored for anomalous activity may be operator accounts (such as accounts that are permitted to create, modify and delete accounts for other users or user groups) or other types of accounts (e.g. user accounts, privileged accounts, etc.). In response to detecting anomalous activity, different actions may be performed. For example, an account may be prevented from performing operations, an account may be locked, one or more reports may be generated automatically and provided to one or more users to show the activity that may be considered anomalous, and so on. Different types of reports may be generated. For example, one report may rank accounts based on the level of anomalous activity detected, and another report may provide more detailed information about one or more of those accounts.
Brief Description of the Drawings
Fig. 1 shows an overview of a system for detecting anomalous activity from accounts of an online service;
Fig. 2 shows a more detailed system for detecting anomalous activity from accounts of an online service;
Fig. 3 shows different profiles, including the event information and event weights used when detecting anomalous activity of an account in an online service;
Fig. 4 shows an exemplary graphical user interface for viewing and configuring events related to anomaly detection;
Fig. 5 shows an exemplary report showing the detected anomalous activity of one or more accounts in an online service;
Fig. 6 shows a process for detecting anomalous activity in an online service by comparing a baseline profile with a latest profile;
Fig. 7 shows a process for configuring and storing event information in a baseline profile and a latest profile;
Fig. 8 shows an exemplary online system for detecting anomalous activity; and
Figs. 9, 10A, 10B and 11 and the associated description provide a discussion of various operating environments in which embodiments of the invention may be practiced.
Detailed Description
Because of the large number of events that may be logged, an online service typically examines a relatively small subset of the logged events from a single machine (or a small number of machines) in the service in order to detect anomalous activity. For example, rather than examining the events from every machine in the online service, the online service selects one or two machines to monitor for anomalous activity. In addition, the online service may establish hard-coded rules to detect anomalous activity. For example, the online service may create a rule to identify a particular type of anomalous activity. According to embodiments of the invention, instead of creating individual rules to detect anomalous activity, an anomaly detector automatically detects anomalous activity based on the monitored events obtained from different computing devices and accounts in the online service. Any number of events from the monitored accounts of the online system can be used to detect anomalous activity without creating individual rules. Anomalous activity is detected not by looking for a predetermined event or condition and determining when a particular type of anomalous activity is occurring, but by comparing the frequency of events that represents the "normal" behaviour of the online service with the frequency of the events that occurred in the online service during a recent period of time. When the frequency of an event differs between the baseline profile and the latest profile, anomalous activity may be indicated. The anomalous activity is then provided to one or more users in the form of a report. According to one embodiment, a report including information related to the anomalous activity detected in the online service is delivered.
Various embodiments will now be described with reference to the drawings, in which like reference numerals represent like elements.
Fig. 1 shows an overview of a system for detecting anomalous activity of accounts of an online service. As shown, system 100 includes online service 110, anomaly detector 26, baseline profile 155, latest profile 165, display 115 and display 125.
Anomaly detector 26 is configured to detect anomalous activity occurring from accounts associated with online service 110. Anomalous activity is activity that deviates from the expected activity or normal behaviour of the online service. For example, in response to an unusually high number of requests from an account in the online service for activities such as creating new accounts, changing permissions, starting processes and so on, anomaly detector 26 may detect anomalous activity. To determine when anomalous activity of online service 110 occurs, anomaly detector 26 determines when the frequency of events in latest profile 165 deviates from the frequency of the events stored in baseline profile 155. For example, baseline profile 155 may indicate that during normal operation of online service 110 two accounts are created in a typical day. Today, however, latest profile 165 shows that a particular account in the online service created ten different accounts. In response to comparing baseline profile 155 with latest profile 165 and determining that these frequencies differ, anomaly detector 26 determines that anomalous activity has occurred in online service 110 and therefore generates exception report 130 for display on display 125.
In the present example, the display of exception report 130 includes a message showing information about the anomalous activity (e.g. "Account 1 created 10 new accounts") and also shows the normal activity (e.g. "creating 2 accounts is normal activity"). The report may be provided to one or more users to show the activity that is considered anomalous. Different reports may be generated. For example, one report may rank accounts based on anomalous activity, and another report may provide more detailed information about one or more accounts.
Anomaly detector 26 may use all or a portion of the events monitored (e.g. logged) by the online service to detect anomalous activity. Rather than monitoring only one or two different events occurring on a single computing device and determining when a predetermined condition is met, anomaly detector 26 may use any number of logged events from any number of accounts in the online service to detect anomalous activity. For example, the anomaly detector may use each of the logged security events occurring in the online service (e.g. any event that changes permissions, such as creating an account, changing the permissions of one or more accounts, etc.) to detect anomalous activity.
According to one embodiment, an authorized user may configure the events used by anomaly detector 26 to detect anomalous activity. In the current example, a graphical user interface (GUI) for event configuration 117 is displayed and is configured to receive event selections and configuration information from the user. For example, the user may select all or a portion of the events that the online service monitors for one or more accounts. In the present example, display 115 shows that the authorized user has selected to use the change-permission event and the add-account event, but not the login event, when detecting anomalous activity. Other configuration information may also be received, such as, but not limited to, weighting information, aggregate profiles and the like (see the figures and the related discussion below). When the user does not specify a configuration, anomaly detector 26 uses a default algorithmic weighting method. According to one embodiment, the default algorithmic weighting method assigns a higher weight to the events that occur less often, based on the occurrence rate of each event in the baseline profile (i.e. an increase in an event that rarely occurs is more likely to indicate an anomaly).
Online service 110 may be a cloud-based service and/or an enterprise-based service configured to provide services such as productivity services (e.g. messaging, collaboration, spreadsheets, documents, presentations, charts, etc.). More details about anomaly detection are provided below.
Fig. 2 shows a more detailed system 200 for detecting anomalous activity in accounts of an online service.
As shown, system 200 includes application 262, application 272, tablet computing device 260, computing device 270 and online service 110, where online service 110 includes anomaly detector 26, baseline profiles 210, latest profiles 220, accounts 230, computing devices 240 and log 250.
As discussed above, anomaly detector 26 is configured to detect anomalous activity by using event information monitored from accounts 230 (which are associated with online service 110). For example, the accounts monitored for anomalous activity in the online service may be operator accounts, which have permission to create, modify and delete accounts for other users or user groups. Other accounts (e.g. user accounts) may also be monitored for anomalous activity.
According to one embodiment, anomaly detector 26 detects anomalous activity by comparing the frequency of the past events included in baseline profile 210 with the frequency of the latest events included in latest profile 220. A profile (e.g. a baseline profile or a latest profile) includes event information for a single account of the online service, or may include aggregated event information obtained from all accounts or a portion of the accounts of the online service. When the latest event information for an account shows that one or more events occur more frequently than the rate at which those events are recorded in the baseline profile, anomaly detector 26 may detect anomalous activity.
Anomaly detector 26 may use various methods to determine when anomalous activity has occurred in online service 110. According to one embodiment, anomaly detector 26 creates a frequency profile for each account or group of accounts associated with a profile. Anomaly detector 26 compares the frequency profile of the events associated with the baseline profile with the frequency profile of the events associated with the latest profile. For example, when the frequency profile associated with the latest profile indicates that one or more events occur more frequently than during the "normal" operation indicated by the baseline profile, anomalous activity is detected.
According to one embodiment, a frequency is determined for each event included in a profile. For example, for ease of explanation and not by way of limitation, assume that four different events are monitored. The baseline profile shows that event 1 accounts for 10% of the events, event 2 accounts for 25% of all events, event 3 accounts for 50% of the events and event 4 accounts for 15% of the events. The latest profile shows that event 1 accounts for 20% of the events, event 2 accounts for 15% of all events, event 3 accounts for 50% of the events and event 4 accounts for 15% of the events. In response to comparing the baseline profile with the latest profile, anomaly detector 26 detects that anomalous activity is occurring, because the frequency of event 1 in the latest profile is greater than in the baseline profile. Other methods of detecting anomalous activity of accounts in an online service may be used. For example, other statistical methods may be used, such as comparing the number of times each event occurs within a predetermined period of time, aggregating the frequencies of some events and comparing the aggregated frequencies, or some other statistical method.
According to one embodiment, different weights may be assigned to different events, so that an increase in the occurrence rate of an event with a larger weight in a monitored account indicates anomalous activity before a significant increase in the occurrence rate of an unweighted event would. According to one embodiment, a larger weight may be assigned, automatically or manually, to events that occur less frequently, so that an increase in the occurrence rate of such an event indicates anomalous activity more quickly. For example, the login event may be given a lower weight than the create-account event, because the login event is typically a common event in an online service. These weights may be assigned automatically and/or manually.
After anomaly detector 26 detects anomalous activity, different actions may be performed. For example, one or more reports (e.g. exception report 265) may be created and delivered automatically, one or more accounts may be locked so that future activity stops, certain actions may be prevented from occurring in the online service, and so on. A report may be generated and provided to one or more users to show the activity that is considered anomalous. Different reports may be generated. For example, exception report 265 may rank accounts based on the anomalous activity detected, and another report may provide more detailed information about one or more accounts (see Fig. 4 and the related discussion).
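The comparison described in the three preceding paragraphs, as an added example that is not part of the patent: it parses constructed log lines in an assumed "<time> <account> <event>" format, builds the percentage profiles of the four-event example above (baseline 10/25/50/15, latest 20/15/50/15), flags every event whose share has grown, applies manually configured weights of the kind just described (login weighted lower than create-account) and ranks the accounts for an exception report. The account names, event names, log format, weight values and the scoring rule (weight times the growth of the share) are all assumptions of this example.

```python
"""Added example, not from the patent: build baseline and latest frequency
profiles from (constructed) log lines, compare them event by event, apply
manually configured weights and rank accounts for an exception report."""
from collections import Counter, defaultdict

# Constructed counts: "op1" reproduces the four-event example in the text
# (baseline 10/25/50/15 %, latest 20/15/50/15 %); "op2" is unchanged.
BASELINE_COUNTS = {
    "op1": {"create_account": 2, "change_permission": 5, "login": 10, "logout": 3},
    "op2": {"create_account": 2, "change_permission": 5, "login": 10, "logout": 3},
}
LATEST_COUNTS = {
    "op1": {"create_account": 4, "change_permission": 3, "login": 10, "logout": 3},
    "op2": {"create_account": 2, "change_permission": 5, "login": 10, "logout": 3},
}
# Manually configured weights (assumed values): the rare, permission-changing
# events weigh more than the common login/logout events.
WEIGHTS = {"create_account": 4.0, "change_permission": 3.0, "login": 1.0, "logout": 1.0}


def synth_log(day, counts_by_account):
    """Expand count tables into constructed log lines '<time> <account> <event>'."""
    return [f"{day}T00:00Z {acct} {ev}"
            for acct, counts in counts_by_account.items()
            for ev, n in counts.items() for _ in range(n)]


def parse_log(lines):
    """Per-account event counts from '<time> <account> <event>' lines."""
    per_account = defaultdict(Counter)
    for line in lines:
        if line.strip():
            _time, account, event = line.split()
            per_account[account][event] += 1
    return per_account


def frequency_profile(counts):
    """Share of each event (0.10 is the 10% of the patent's profiles)."""
    total = sum(counts.values())
    return {event: n / total for event, n in counts.items()} if total else {}


def compare(baseline, latest, weights):
    """Score one account: for every event whose latest share exceeds its
    baseline share, add weight * (latest/baseline - 1). Assumption: an event
    absent from the baseline is given the share of the rarest baseline event."""
    floor = min(baseline.values()) if baseline else 1.0
    score, flagged = 0.0, []
    for event, share in latest.items():
        ratio = share / (baseline.get(event) or floor)
        if ratio > 1.0:
            flagged.append((event, ratio))
            score += weights.get(event, 1.0) * (ratio - 1.0)
    return score, sorted(flagged, key=lambda f: f[1], reverse=True)


def exception_report(baseline_lines, latest_lines, weights=WEIGHTS):
    """Rank accounts by anomaly score; each row is (account, score, flagged)."""
    baseline = parse_log(baseline_lines)
    latest = parse_log(latest_lines)
    rows = []
    for account, counts in latest.items():
        score, flagged = compare(frequency_profile(baseline.get(account, {})),
                                 frequency_profile(counts), weights)
        rows.append((account, score, flagged))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    report = exception_report(synth_log("2014-01-01", BASELINE_COUNTS),
                              synth_log("2014-01-02", LATEST_COUNTS))
    for account, score, flagged in report:
        print(f"{account}: score={score:.2f} flagged={flagged}")
```

With these inputs "op1" is ranked first with create_account flagged at twice its baseline share, and "op2" scores zero. Note that an account with no baseline of its own scores nothing here; the patent's answer to that case (comparing a new account against an aggregate profile) is a separate step.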
Baseline profiles 210 include one or more baseline profiles, where these baseline profiles include event information related to the "normal" or "typical" operation of online service 110. Each of baseline profiles 210 includes event information for a predetermined period of time of the online service (e.g. one week, two weeks, one month, two months, etc.). Baseline profiles 210 may be updated according to a predetermined schedule (e.g. daily, weekly, etc.) or using some other method (e.g. on request). According to one embodiment, an authorized user may configure the event information included in a baseline profile, the time period of the event information included in the baseline profile and the update schedule. For example, an authorized user may configure a baseline profile to store the event information of the last month for one or more different types of accounts of the online service, and to be updated daily.
Latest profiles 220 include one or more latest profiles, where these latest profiles include event information related to the events that occurred in online service 110 within a recent period of time. For example, a latest profile may include event information for one or more accounts resulting from the activity that occurred within the last day of the service, within the last few hours of the online service, and so on. In general, the event information included in a latest profile is more recent than the event information included in baseline profiles 210. The latest event information may be used to update the baseline profile. For example, the baseline profile may be updated with the latest event information every day or according to some other time period. In this way, a baseline profile may include event information for a rolling time horizon (e.g. the last month, the last two months, the last three months, etc.) of the events generated by accounts in online service 110.
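The rolling baseline described in the two preceding paragraphs, as an added example that is not part of the patent: the baseline is kept as a window of per-day event counts, each day's latest counts are folded in on a daily schedule and days that have left the window are dropped, and the daily-rate check of the Fig. 1 example (two accounts created on a typical day versus ten today) runs against it. The dates, the three-day window, the 2x threshold and all counts are constructed for this example.

```python
"""Added example, not from the patent: a baseline kept as a rolling window of
per-day event counts, updated by folding in each day's latest counts, plus a
daily-rate check of today's count against the window's average."""
from collections import Counter, deque
from datetime import date, timedelta


class RollingBaseline:
    """Per-day counts for the last `window_days` days, oldest first."""

    def __init__(self, window_days):
        self.window = timedelta(days=window_days)
        self.days = deque()

    def fold_in(self, day, day_counts):
        """Add one day's latest counts, then evict days that left the window."""
        self.days.append((day, Counter(day_counts)))
        cutoff = day - self.window
        while self.days and self.days[0][0] <= cutoff:
            self.days.popleft()

    def covered_days(self):
        return [d for d, _ in self.days]

    def counts(self):
        total = Counter()
        for _, day_counts in self.days:
            total.update(day_counts)
        return total

    def daily_rate(self, event):
        """Average occurrences per day over the window (None if empty)."""
        return self.counts()[event] / len(self.days) if self.days else None


def check_day(baseline, event, today_count, threshold=2.0):
    """(ratio, anomalous): today's count over the baseline daily rate.
    The threshold is an assumption; the patent only requires the frequencies
    to differ. An event never seen in the baseline is anomalous if seen at all."""
    rate = baseline.daily_rate(event)
    if not rate:
        return None, today_count > 0
    ratio = today_count / rate
    return ratio, ratio > threshold


def build_baseline():
    """Constructed history: two accounts created per day, three-day window."""
    baseline = RollingBaseline(window_days=3)
    for offset in range(4):                       # 2014-01-01 .. 2014-01-04
        baseline.fold_in(date(2014, 1, 1) + timedelta(days=offset),
                         {"create_account": 2, "login": 20})
    return baseline


if __name__ == "__main__":
    baseline = build_baseline()
    print("window covers", baseline.covered_days())      # 2014-01-02 .. 01-04
    print(check_day(baseline, "create_account", 10))     # (5.0, True)
    # After the day closes, today's counts become part of the baseline.
    baseline.fold_in(date(2014, 1, 5), {"create_account": 10, "login": 22})
    print("rate now", baseline.daily_rate("create_account"))
```

One caveat this makes visible: folding an anomalous day into the baseline raises the "normal" rate (from 2.0 to 4.67 per day in the run above), so a deployment would normally hold back flagged days, or require an operator to confirm them, before they enter the window.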
Log 250 is configured to store the event information generated by one or more accounts of online service 110. According to one embodiment, log 250 stores records of events, including the security events generated by accounts in the online service. For example, log 250 includes records of the login/logout activity generated by one or more accounts 230 on one or more computing devices 240 associated with online service 110, and records of other security-related events. According to one embodiment, the log data stored in log 250 includes the information specified by the audit policy of the system. In general, an authorized user may configure the system to record different events and different types of events in log 250.
Many types of events may be logged and used by the anomaly detector when detecting anomalous activity in an online service. Some exemplary types of events that may be logged include: account logon events, account management events, directory service access events, object access events, policy changes, privileged operations, system events, and so on. For example, each time an object is created, accessed, changed or deleted, an event may be generated and logged. A more detailed list of the events that may be logged and used when detecting anomalous activity can be found in the discussion of Fig. 8.
Fig. 3 shows different profiles, including the event information and the weighting of events used when detecting anomalous activity of an account in an online service.
As discussed herein, each profile includes event information for all or a portion of the events that are monitored and/or logged, where these events originate from accounts of the online service. The following profiles are shown for illustrative purposes only and are not limiting. Although each profile shown displays four different events, more or fewer events may be included in a profile. For example, a profile may include hundreds or thousands of different types of events.
Profile 310 shows an aggregate baseline profile for multiple accounts of the online service. For example, profile 310 may include event information generated from many different types of accounts in the online service, or it may include all or a portion of the accounts of a particular type. According to one embodiment, an aggregate profile is created that includes each operator account of the online service. As discussed above, the term "operator account" refers to an account that is permitted to create, modify and delete accounts for other users or user groups. Other types of accounts in the online service (e.g. user accounts) may also be included.
In the present example, profile 310 includes event information for four different events (event 1, event 2, event 3 and event 4). Although four events are shown, fewer or more events may be included to detect anomalous activity. For example, the events may include all or a portion of the security events (see the discussion of Fig. 8 for a more detailed list of security events) and any other events that the online service can monitor (e.g. machine actions, user actions, etc.). Each event included in a profile carries its own event information. The event information may include information such as: the type of the event; the time the event was generated; which account generated the event; the result of the event, and so on. For example, an event may be a process-start event generated by account 2 at 11:06 AM that caused a particular process to be started. According to another embodiment, the profile may include the number of times each monitored event occurred within a specified period of time (e.g. within one day, one week, etc.).
The percentages shown below the event information in profile 310 and in profiles 340 and 370 show the percentage of occurrence of each of these events. In the current example of aggregate profile 310, event 1 occurs 20% of the time, event 2 occurs 5% of the time, event 3 occurs 50% of the time and event 4 occurs 25% of the time. Typically, the events that occur most frequently are common events such as logging into the service, logging out of the service, and so on.
As described above, each event may be weighted the same as or differently from the other events that are monitored and used when detecting anomalous activity. For example, each event may be weighted with the same value (e.g. 1), or weighted using some other criterion. According to one embodiment, the weighting is based on the frequency of the event in the profile. For example, events that occur less frequently may be weighted more heavily than events that occur more frequently. Compared with common events such as login or logout events, events that usually occur infrequently (e.g. creating an account) may be considered to indicate anomalous activity to a greater degree. According to one embodiment, the relative weight of each event is determined automatically by dividing the occurrence percentage of the most frequent event by the occurrence percentage of each event in the profile. In the present example shown by profile 310, the automatically determined weighting results in the weight of event 1 being 2.5 times the weight of event 3, the weight of event 2 being 10 times the weight of event 3, and the weight of event 4 being 2 times the weight of event 3. Other weighting methods may be used. For example, each weight may be based on the type of event, and/or each weight may be configured manually by an authorized user (see Fig. 4 for an exemplary graphical user interface for configuring weights). These weights may be configured manually or automatically.
Baseline profile 340 is an exemplary baseline profile for a single account of the online service. According to one embodiment, each account has a baseline profile that is used to determine the "normal" behaviour of the account. In the present example, baseline profile 340 includes the same event information as aggregate baseline profile 310. However, the frequency of occurrence of the events in baseline profile 340 may differ from that in aggregate baseline profile 310. As shown, the occurrence percentages of event 1 and event 3 are the same, but the percentages of event 2 and event 4 differ. Compared with the occurrence of event 2 in baseline profile 310, the occurrence percentage of event 2 in baseline profile 340 is larger (10% versus 5%). Compared with the occurrence of event 4 in baseline profile 310, the occurrence percentage of event 4 in baseline profile 340 is smaller (20% versus 25%). As discussed herein, a baseline profile related to a single account may be used to detect anomalous activity, and/or one or more aggregate baseline profiles may be used to detect anomalous activity. In some cases, a newly created account has no established baseline profile. In such a case, the latest profile of the newly created account may be compared with an aggregate profile or with the profile of a different account to detect anomalous activity.
Latest profile 370 is an exemplary latest profile for a single account of the online service. A latest profile may be created for a single account and/or for an aggregate of accounts. In the present example, latest profile 370 includes the same event information as aggregate baseline profile 310. Compared with aggregate baseline profile 310 and baseline profile 340, the occurrence rates of the events in latest profile 370 are different. Comparing latest profile 370 with either of the baseline profiles (310, 340) indicates that the account is performing anomalous activity. For example, the occurrence percentage of event 2 in the latest profile is 2 times larger than indicated by baseline profile 340 and 4 times larger than indicated by aggregate baseline profile 310.
Fig. 4 shows exemplary graphical user interfaces (GUIs) for viewing and configuring events related to anomaly detection. The GUIs shown in Fig. 4 are for illustrative purposes only and are not intended to be limiting.
The first GUI shown is event configuration display 410, an exemplary GUI for selecting and configuring the events to be monitored for anomaly detection in the online service. Event section 415 shows the different types of events that may be selected and monitored. Although four event types are shown, many other events may be displayed. According to one embodiment, the event types and the individual events of the online service that are to be monitored may be selected for use in anomaly detection. In the present example, the events shown in event configuration display 410 include: account logon events, account management events, object access events and policy change events. As shown, user 430 selects the account management events.
In response to receiving the selection of an event type (for example, account management events), a more detailed view of each event included in that type is displayed. In the present example, account management events 420 shows the different events included in the selected account management event type. According to one embodiment, a user may select or deselect individual events within the selected event type for inclusion in anomaly detection. For example, a user may select the account management events and then deselect a pair of events from those used in anomaly detection.
Display 440 shows an exemplary display including event selector 442, which presents a list of the different events that may be configured and used in anomaly detection. In the present example, user 450 has selected event 2. In response to selecting event 2, a more detailed configuration view 460 is displayed. In the present example, event 2 is shown as set to "ON", indicating that event 2 is monitored for anomaly detection. The user may also turn event 2 off by selecting the ON/OFF user interface element. In addition, a weight of "0.3" is set for event 2. According to one embodiment, an authorized user may configure the weighting of different events so that different events are given more or less weight when detecting anomalous activity. A default weight may be set for an event. According to one embodiment, the default weight for each event is set to be inversely proportional to the frequency of the event in the baseline profile. For example, if the frequency of event 1 in the baseline profile is 10%, it may be given a weight of 1/.1 = 10. If the frequency of event 1 in the baseline profile is 50%, it may be given a weight of 1/.5 = 2. The specific calculation method may also be configurable. For example, the weight may be the square of the inverse of the frequency, or some other value computed from the inverse.
Fig. 5 shows exemplary reports displaying the anomalous activity detected for one or more accounts of the online service.
Display 510 shows an exemplary report that indicates possible anomalous activity for different accounts. Anomaly report 512 is shown for illustrative purposes and is not intended to be limiting. Many other types of reports showing anomalous activity may be created and displayed. As shown, report 512 lists the accounts monitored as part of the search for anomalous activity, ordered from the highest detected anomalous activity to the lowest. Anomaly report 512 shows the accounts for which anomalous activity was detected. For example, accounts that are operating normally and for which no anomalous activity was detected are not shown in the anomaly report. According to one embodiment, any account whose value exceeds a predefined number (threshold) has potential anomalous activity. According to one embodiment, a value greater than the predefined number (threshold) indicates that at least one monitored event is currently occurring more frequently than the frequency of occurrence recorded in the baseline profile. In the present example, a user may select one of the displayed accounts to obtain more information about the detected anomalous activity. As shown, user 520 selects account 10 from anomaly report 512 to obtain a more detailed view of that account, as shown in display 540.
Display 540 shows an example of the more detailed information that may be displayed for an account in which anomalous activity was detected. As shown, the more detailed information shows the events that indicate anomalous activity together with the baseline profile for those events. In display 540, two different monitored events show anomalous activity. In the present example, event 2 is occurring five times as often as what is regarded as normal (0.5 versus 0.1), and event 3 is occurring twice as often as normal (0.2 versus 0.1).
Figs. 6 and 7 show processes for performing anomaly detection using account information from the online service. When reading the discussion of the routines presented herein, it should be appreciated that the logical operations of the various embodiments are implemented (1) as a sequence of computer-implemented acts or program modules running on a computing system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system. The implementation is a matter of choice dependent on the performance requirements of the computing system implementing the invention. Accordingly, the logical operations illustrated and making up the embodiments described herein are referred to variously as operations, structural devices, acts or modules. These operations, structural devices, acts and modules may be implemented in software, in firmware, in special-purpose digital logic, and in any combination thereof. Although the operations are shown in a particular order, the order of the operations may be changed, and the operations may be performed in parallel, depending on the implementation.
Fig. 6 shows process 600 for detecting anomalous activity in an online service by comparing baseline profiles with current profiles.
After a start operation, the process moves to operation 610, where one or more baseline profiles are accessed. A baseline profile may be the baseline profile for a single account, or it may be a summary baseline profile (which includes event information from more than one account of the online service). For example, each account of each tenant of the online service that is to be monitored for anomalous activity may have its own baseline profile. As described above, the baseline profile includes event information generated from one or more accounts that represents the "normal" operation of the account or accounts. According to one embodiment, the profiles include event information relating to security events associated with one or more accounts of the online service. The event information may be configured by an authorized user and/or selected automatically based on the events monitored by the online system. For example, the online service may automatically select all or part of the events that are monitored or logged in the online service.
Flowing to operation 620, the current profile is accessed. The current profile includes event information obtained during a most recent period of time. The most recent period of time may include a time period such as, but not limited to, the last hour, the last two hours, the last three hours, the last four hours, the last eight hours, one day, and the like. According to one embodiment, the current profile includes event information from one or more accounts for the last six hours. The current profile may include a single account of the online service and/or a summary over accounts of the online service.
Transitioning to operation 630, the baseline profile is compared with the current profile to detect anomalous activity in the online service. Different methods may be used to perform the comparison of the current profile with the baseline profile. According to one embodiment, the comparison includes determining when the frequency of one or more of the monitored events differs between the baseline profile and the current profile. According to one embodiment, a weighting factor is used to adjust the significance of the occurrence of an event. For example, an increase in the number of accounts created by an account (an event with a larger weight) may be regarded more as an indication of anomalous activity than an increase in the number of forms opened by an account (an event with a smaller weight).
Moving to operation 640, an action may be performed based on the detected anomalous activity. One or more actions may be performed. The actions performed relate to notifying one or more users of the detected anomalous activity and/or attempting to stop or limit the detected anomalous activity. For example, one or more reports may be created and delivered (operation 650), one or more accounts may be locked so that further anomalous activity from those accounts is stopped, one or more accounts may be prevented from performing certain actions, and so on.
Flowing to operation 650, the detected anomalous activity is reported. There are many different methods that may be used to report anomalous activity. For example, a summary report that ranks each account according to the detected anomalous activity may be created and delivered. According to one embodiment, the accounts are ranked according to the degree of anomalous activity detected for each account. A more detailed report for each account may also be created for delivery and/or viewing. According to one embodiment, the more detailed report is accessed by selecting an account in the summary report of anomalous activity.
The process then flows to an end operation and returns to processing other actions.
Fig. 7 shows process 700 for configuring and storing event information in baseline profiles and current profiles.
After a start operation, the process moves to operation 710, where the events to be monitored and used in anomaly detection are determined. The determination may be performed automatically and/or manually. For example, instead of manually selecting each event to be monitored, every event that is currently monitored and logged may be used when detecting anomalous activity. As another example, an authorized user may select the events to be monitored. The selection may replace the events currently used in anomaly detection, or the selected events may be used in addition to those events. According to one embodiment, a GUI is displayed that allows an authorized user to select the different events to be monitored and used in anomaly detection.
Flowing to operation 720, the events determined to be used in anomaly detection for the online service are configured. The configuration may include manual configuration and automatic configuration. For example, an authorized user may set the weights to be associated with the different events. According to one embodiment, the weight used for an event is automatically set to a different value based on the percentage of time that the monitored event occurs. In this example, events that occur more frequently are regarded as less important when detecting anomalous activity than events that usually occur less frequently in the online service. For example, an account creation event may be given a larger weight than a logon event.
Transitioning to operation 730, the configuration information is stored. The configuration information may be stored in one or more locations. For example, the configuration information may be stored in a data store of the online service and/or in a data store external to the online service.
Flowing to operation 740, event information for the different accounts of the online service is obtained. According to one embodiment, the event information is obtained from logs that record event information for the different accounts associated with the online service. The event information may be obtained automatically or manually. For example, the event information may be obtained every hour, every two hours, every six hours, every day, and so on. Different accounts and different types of accounts may be monitored for anomalous events. According to one embodiment, operator accounts of the online service are monitored, and the data from that monitoring is logged by the online service. Other types of accounts may also be monitored. For example, an authorized user may configure the events of every account of the online service to be monitored, or may select a subset of accounts to be monitored. The event information may include different types of information. For example, the event information may include information such as, but not limited to: the type of the event, the time the event occurred, the result of the event, and the like.
Transitioning to operation 750, the profiles are updated using the event information. One or more profiles (for example, the baseline profile and the current profile) may be updated using the event information. According to one embodiment, the baseline profile and the current profile of each monitored account are updated. A summary baseline profile and a summary current profile are also provided. These summary profiles include event information generated by more than one account. According to one embodiment, the summary profiles include the account information of each account of a tenant of the online service. For example, a separate summary profile is maintained for each different customer served by the online service. As discussed, these different profiles may be used to detect anomalous activity in the online service.
The process then flows to an end operation and returns to processing other actions.
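As an added example that is not the patent's own code, the following Python sketch carries processes 600 and 700 through on constructed event records: it builds per-account and summary baseline profiles (operation 750), derives default weights by dividing the highest-frequency event's share by each event's share (the rule illustrated for profile 310), compares the current profile with the baseline (operation 630) and ranks the accounts for the summary report (operation 650). The account names, event names, the 20- and 100-event windows, and the handling of an event that never appears in the baseline are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample records (account, event type) for one tenant; hypothetical data,
# not taken from the patent. The baseline window holds 100 events per account and the
# recent window 20, so the frequencies are easy to follow by hand.
BASELINE_EVENTS = (
    [("alice", "logon")] * 20 + [("alice", "logoff")] * 20
    + [("alice", "object_access")] * 50 + [("alice", "account_created")] * 5
    + [("alice", "policy_changed")] * 5
    + [("bob", "logon")] * 25 + [("bob", "logoff")] * 25
    + [("bob", "object_access")] * 40 + [("bob", "account_created")] * 10
)
RECENT_EVENTS = (
    [("alice", "logon")] * 4 + [("alice", "logoff")] * 4
    + [("alice", "object_access")] * 10 + [("alice", "account_created")]
    + [("alice", "policy_changed")]
    + [("bob", "logon")] * 4 + [("bob", "logoff")] * 4
    + [("bob", "object_access")] * 6 + [("bob", "account_created")] * 6
    # carol is a newly created account with no baseline profile of her own
    + [("carol", "logon")] * 2 + [("carol", "policy_changed")] * 2
    + [("carol", "trust_created")]
)


def build_profiles(events):
    """Per-account profile: event type -> fraction of that account's events (operation 750)."""
    per_account = defaultdict(Counter)
    for account, event in events:
        per_account[account][event] += 1
    profiles = {}
    for account, counts in per_account.items():
        total = sum(counts.values())
        profiles[account] = {event: n / total for event, n in counts.items()}
    return profiles


def aggregate_profile(events):
    """Summary profile over every account of the tenant (used when an account has no baseline)."""
    counts = Counter(event for _, event in events)
    total = sum(counts.values())
    return {event: n / total for event, n in counts.items()}


def auto_weights(baseline):
    """Default weights: share of the most frequent event divided by each event's share,
    so rare events (account creation, policy change) weigh more than logon/logoff."""
    top = max(baseline.values())
    return {event: top / freq for event, freq in baseline.items()}


def score_account(baseline, recent, weights=None):
    """Compare a current profile with a baseline (operation 630).

    Returns (score, details). details maps each event whose recent share exceeds its
    baseline share to (baseline_freq, recent_freq, ratio). Assumption of this example:
    an event absent from the baseline is treated as rarer than the rarest baseline event
    and is given the largest weight.
    """
    weights = weights or auto_weights(baseline)
    floor = min(baseline.values())
    max_weight = max(weights.values())
    score, details = 0.0, {}
    for event, recent_freq in recent.items():
        base_freq = baseline.get(event, floor)
        ratio = recent_freq / base_freq
        if ratio > 1.0:  # only increases over the baseline count as anomalous
            score += weights.get(event, max_weight) * (ratio - 1.0)
            details[event] = (base_freq, recent_freq, ratio)
    return score, details


def anomaly_report(baseline_events, recent_events, threshold=1.0):
    """Rank accounts by detected anomalous activity (process 600, report 512).

    Accounts without a baseline of their own are compared with the summary baseline.
    Only accounts whose score exceeds the threshold are listed, highest first.
    """
    baselines = build_profiles(baseline_events)
    summary = aggregate_profile(baseline_events)
    rows = []
    for account, recent in build_profiles(recent_events).items():
        score, details = score_account(baselines.get(account, summary), recent)
        if score > threshold:
            rows.append((account, score, details))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    for account, score, details in anomaly_report(BASELINE_EVENTS, RECENT_EVENTS):
        print(f"{account}: score {score:.1f}")
        for event, (base, now, ratio) in details.items():
            print(f"  {event}: {now:.2f} vs baseline {base:.3f} ({ratio:.1f}x)")
```

Running the block lists carol (compared with the summary baseline because she has none of her own) above bob, whose account creations run at three times his baseline share; alice matches her baseline and is left out of the report.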
Fig. 8 shows an exemplary online system that includes anomaly detection. As shown, system 1000 includes service 1010, data store 1045, touch screen input device 1050 (for example, a slate), smart phone 1030 and display device 1080.
As shown, service 1010 may be configured as a cloud-based and/or enterprise-based service that provides services such as productivity services (for example, spreadsheets, documents, presentations, charts, messages and the like). Different types of input/output may be used to interact with the service. For example, a user may use voice input, touch input, hardware-based input and the like. The functionality of one or more of the services/applications provided by service 1010 may be configured as a client/server-based application.
As shown, service 1010 is a multi-tenant service that provides resources 1015 and services to any number of tenants (for example, Tenants 1-N). Multi-tenant service 1010 is a cloud-based service that provides resources/services 1015 to tenants subscribed to the service and maintains each tenant's data separately and protected from the data of other tenants.
System 1000 as illustrated includes touch screen input device 1050 (for example, a slate/tablet device) and smart phone 1030, which detect when a touch input has been received (for example, a finger touching or nearly touching the touch screen). Any type of touch screen that detects a user's touch input may be used. For example, the touch screen may include one or more layers of capacitive material that detect the touch input. Other sensors may be used in addition to or instead of the capacitive material. For example, infrared (IR) sensors may be used. According to one embodiment, the touch screen is configured to detect objects that are in contact with, or above, a touchable surface. Although the term "above" is used in this description, it should be understood that the orientation of the touch panel system is irrelevant; the term "above" is intended to apply to all such orientations. The touch screen may be configured to determine the locations at which touch input is received (for example, a starting point, intermediate points and an end point). Actual contact between the touchable surface and the object may be detected by any suitable means, including, for example, a vibration sensor or microphone coupled to the touch panel. A non-exhaustive list of examples of sensors for detecting contact includes: pressure-based mechanisms, micro-machined accelerometers, piezoelectric devices, capacitive sensors, resistive sensors and inductive sensors.
According to one embodiment, smart phone 1030, touch screen input device 1050 and device 1080 include applications (1031, 1051, 1081).
As shown, touch screen input device 1050, smart phone 1030 and display device 1080 show exemplary displays 1052/1032/1082 of an application in use, including interfaces related to anomaly detection. Data may be stored on a device (for example, smart phone 1030, slate 1050) and/or at some other location (for example, network data store 1045). Data store 1045 (or some other store) may be used to store data sets, event information, baseline profiles, current profiles and other data. The applications used by the devices may be client-based applications, server-based applications, cloud-based applications and/or some combination of these. According to one embodiment, display device 1080 is a device such as a MICROSOFT XBOX coupled to a display.
Anomaly detector 26 is configured to perform operations relating to detecting anomalous activity, as described herein. Although anomaly detector 26 is shown within service 1010, the functionality of the anomaly detector may also be included in other locations (for example, on smart phone 1030 and/or slate device 1050 and/or device 1080).
Some exemplary events that may be monitored and included in the baseline and current profiles include, but are not limited to: operating system startup; operating system shutdown; the Local Security Authority loaded an authentication package; a trusted logon process registered with the Local Security Authority; the internal resources allocated for queuing audit messages were exhausted, leading to the loss of some audits; the Security Account Manager loaded a notification package; invalid use of a port; the system time was changed; a monitored security event pattern occurred; an administrator recovered the system from CrashOnAuditFail; the Local Security Authority loaded a security package; an account successfully logged on; an account failed to log on; user/device claims information; an account was logged off; a user initiated a logoff; a logon was attempted using explicit credentials; a replay attack was detected; a handle to an object was requested; a registry value was modified; a handle to an object was closed; a handle to an object was requested with intent to delete; an object was deleted; a handle to an object was requested; an operation was performed on an object; an attempt was made to access an object; an attempt was made to create a hard link; an attempt was made to create an application client context; an application attempted an operation; an application client context was deleted; an application was initialized; permissions on an object were changed; an application attempted to access a blocked ordinal; special privileges were assigned to a new logon; a privileged service was called; an operation was attempted on a privileged object; a security identifier (SID) was filtered; a new process was created; a process exited; an attempt was made to duplicate a handle to an object; indirect access to an object was requested; an attempt was made to back up the data protection master key; an attempt was made to recover the data protection master key; an attempt was made to protect auditable protected data; an attempt was made to unprotect auditable protected data; a primary token was assigned to a process; a service was installed in the system; a scheduled task was created, deleted, enabled, disabled or updated; a user right was assigned or removed; a user right was removed; a new trust was created to a domain; a trust to a domain was removed; Kerberos policy was changed; the encrypted data recovery policy was changed; the audit policy on an object was changed; trusted domain information was modified; system security access was granted to an account or removed from an account; the system audit policy was changed; a user account was created, changed or enabled; an attempt was made to change or reset an account's password; an attempt was made to reset an account's password; a user account was disabled or deleted; a user account was deleted; a security-enabled global group was created, changed or deleted; a member was added to or removed from a security-enabled global group; a security-enabled local group was deleted, changed or created; a member was added to or removed from a security-enabled local group; domain policy was changed; a user account was locked out; a computer account was created, changed or deleted; a security-disabled local group was created or changed; a member was added to or removed from a security-disabled local group; a security-disabled local group was deleted, created or changed; a member was added to or removed from a security-disabled global group; a security-disabled global group was deleted; a security-enabled universal group was created or changed; a member was added to or removed from a security-enabled universal group; a security-enabled universal group was created, changed or deleted; a member was added to or removed from a security-disabled universal group; a security-disabled universal group was deleted; a group's type was changed; SID history was added to an account; an attempt to add SID history to an account failed; a user account was unlocked; a Kerberos authentication ticket was requested; a Kerberos service ticket was requested or renewed; Kerberos pre-authentication failed; a Kerberos authentication ticket request failed; a Kerberos service ticket request failed; an account was mapped for logon; an account could not be mapped for logon; the domain controller attempted to validate the credentials for an account; the domain controller failed to validate the credentials for an account; a session was reconnected or disconnected; an access control list was set on accounts that are members of administrators groups; the name of an account was changed; the password hash of an account was accessed; a basic application group was created, changed or deleted; a member was added to or removed from a basic application group; a non-member was added to or removed from a basic application group; a Lightweight Directory Access Protocol (LDAP) query group was created or deleted; the password policy checking API was called; an attempt was made to set the Directory Services Restore Mode administrator password; an attempt was made to query the existence of a blank password for an account; RPC detected an integrity violation while decrypting an incoming message; auditing settings on an object were changed; the proposed central access policy does not grant the same access permissions as the current central access policy; the central access policy on the machine was changed; a namespace collision was detected; trusted forest information was added, removed or modified; the certificate manager denied a pending certificate request; Certificate Services received a resubmitted certificate request; Certificate Services revoked a certificate; Certificate Services received a request to publish the certificate revocation list (CRL); Certificate Services published the certificate revocation list (CRL); a certificate request extension changed; one or more certificate request attributes changed; Certificate Services received a request to shut down; Certificate Services backup started or completed; Certificate Services restore started or completed, and Certificate Services started or stopped; the security permissions for Certificate Services changed; Certificate Services retrieved an archived key; Certificate Services imported a certificate into its database; the audit filter for Certificate Services changed; Certificate Services received a certificate request; Certificate Services approved a certificate request and issued a certificate; Certificate Services denied a certificate request; Certificate Services set the status of a certificate request to pending; the certificate manager settings for Certificate Services changed; a configuration entry in Certificate Services changed; a property of Certificate Services changed; Certificate Services archived a key; Certificate Services imported and archived a key; Certificate Services published the CA certificate to Active Directory Domain Services; one or more rows were deleted from the certificate database; role separation was enabled; Certificate Services loaded a template; a Certificate Services template was updated; the security of a Certificate Services template was updated; a per-user audit policy table was created; an attempt was made to register a security event source; an attempt was made to unregister a security event source; the CrashOnAuditFail value changed; auditing settings on an object were changed; a special group logon table was modified; the local policy settings for the Trusted Platform Base Services (TBS) changed; the group policy settings for the TBS changed; the resource attributes of an object changed; per-user audit settings changed; the central access policy on an object changed; an Active Directory replica source naming context was established, removed or modified; an Active Directory replica destination naming context was modified; synchronization of a replica of an Active Directory naming context began or ended; attributes of an Active Directory object were replicated; a replication failure began or ended; a lingering object was removed from a replica; the following policy was active when the firewall started; a rule was listed when the firewall started; a change was made to the firewall exception list, for example, a rule was added, modified or deleted; firewall settings were restored to their default values; a firewall setting changed; a rule was ignored because the firewall did not recognize its major version number; a rule was ignored because the firewall could not parse it; firewall group policy settings changed; the firewall changed the active profile; the firewall did not apply the following rules; the firewall did not apply the following rule because the rule referred to items not configured on this computer; special groups were assigned to a new logon; Internet Protocol Security (IPsec) services started; IPsec services were disabled; IPsec services encountered a potentially serious failure; an IPsec main mode security association was established; an IPsec main mode security association was established; IPsec main mode negotiation failed; IPsec main mode protocol negotiation failed; IPsec quick mode negotiation failed; an IPsec main mode security association ended; IPsec dropped an inbound packet that failed an integrity check; IPsec dropped an inbound packet that failed a replay check; IPsec dropped an inbound clear text packet that should have been secured; IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI); IPsec received an invalid negotiation packet during main mode negotiation; IPsec received an invalid negotiation packet during quick mode negotiation; IPsec received an invalid negotiation packet during extended mode negotiation; IPsec main mode and extended mode security associations were established; IPsec extended mode negotiation failed; and the state of a process changed.
Custom events may also be monitored. According to one embodiment, whenever the online service detects a custom event for any user of the online service, the log file records that custom event.
The embodiments and functionalities described herein may operate via a multitude of computing systems, including but not limited to: desktop computer systems, wired and wireless computing systems, mobile computing systems (for example, mobile phones, netbooks, tablet or slate computers, notebook computers and laptop computers), hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers and mainframe computers.
In addition, the embodiments and functionalities described herein may operate over distributed systems (for example, cloud-based computing systems), where application functionality, memory, data storage and retrieval, and various processing functions may be operated remotely from each other over a distributed computing network (for example, the Internet or an intranet). User interfaces and information of various types may be displayed via an on-board computing device display or via a remote display unit associated with one or more computing devices. For example, user interfaces and information of various types may be displayed and interacted with on a wall surface onto which they are projected. Interaction with the multitude of computing systems with which embodiments of the invention may be practiced includes keyboard entry, touch screen entry, voice or other audio entry, gesture entry (where an associated computing device is equipped with detection (for example, camera) functionality for capturing and interpreting user gestures to control the functionality of the computing device), and the like.
Figs. 9-11 and the associated descriptions provide a discussion of a variety of operating environments in which embodiments of the invention may be practiced. However, the devices and systems illustrated and discussed with respect to Figs. 9-11 are for purposes of example and illustration only and do not limit the vast number of computing device configurations that may be used to practice the embodiments of the invention described herein.
Fig. 9 is a block diagram illustrating the physical components (that is, hardware) of computing device 1100 with which embodiments of the invention may be practiced. The computing device components described below may be suitable for the computing devices described above. In a basic configuration, computing device 1100 may include at least one processing unit 1102 and system memory 1104. Depending on the configuration and type of computing device, system memory 1104 may include, but is not limited to: volatile storage (for example, random access memory), non-volatile storage (for example, read-only memory), flash memory, or any combination of such memories. System memory 1104 may include operating system 1105 and one or more program modules 1106 suitable for running software applications 1120 (for example, anomaly detector 26). For example, operating system 1105 may be suitable for controlling the operation of computing device 1100. Furthermore, embodiments of the invention may be practiced in conjunction with a graphics library, other operating systems, or any other application program, and are not limited to any particular application or system. This basic configuration is illustrated in Fig. 9 by the components within dashed line 1108. Computing device 1100 may have additional features or functionality. For example, computing device 1100 may also include additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks or tape. Such additional storage is illustrated in Fig. 9 by removable storage device 1109 and non-removable storage device 1110.
As described above, can store multiple program modules and data file in system storage 1104.When in processing unit When executing on 1102, program module 1106 (for example, anomaly detector 26) can be with implementation procedure, institute including but not limited in attached drawing One or more of stage of method and process shown.The other program moulds that can be used with embodiment according to the present invention Block may include that Email and contact application, text processing application, spreadsheet application, database application, lantern slide are answered With, draw or computer-assisted application program etc..
In addition, the embodiment of the present invention can include discrete electronic component, the encapsulation comprising logic gate or integrated electronic It is realized in chip, the electronic circuit using the circuit of microprocessor, or in the single core comprising electronic component or microprocessor On piece is realized.For example, the embodiment of the present invention can be via system on chip (SOC) Lai Shixian, wherein group shown in Fig. 9 Each of part is much desirably integrated on single IC for both.This SOC device may include one or more places Unit, graphic element, communication unit, system virtualization unit and various application functions are managed, it is all these all as single integrated Circuit integrates (or " firing ") to chip base.When via SOC to operate, retouched herein in regard to anomaly detector 26 The function of stating, can be dedicated on single IC for both (chip) via being integrated in together with the other components for calculating equipment 1100 Logic circuit operates.It is such as grasped with or with non-etc logic in addition, the embodiment of the present invention can also use to be able to carry out Other technologies (its include but is not limited to: machinery, light, the fluid and quantum techniques) Lai Shixian made.In addition, the embodiment of the present invention It can realize, can also be realized in any other circuit or system in general purpose computer.
Such as keyboard, mouse, pen, audio input device, touch input device etc. can also be had by calculating equipment 1100 Etc one or more input equipments 1112.In addition, it can include such as display, loudspeaker, printer etc. Output equipment 1114.Equipment above-mentioned is some examples, and other equipment can be used.Calculating equipment 1100 may include permitting Perhaps the one or more communication connections 1116 communicated with other calculating equipment 1118.The example of communication connection 1116 appropriate Son includes but is not limited to: RF transmitter, receiver and/or transceiver circuit;Universal serial bus (USB), parallel port and/or string Mouthful.
As used herein term " computer-readable medium " may include computer storage medium.Computer storage is situated between Matter may include utilizing any side of the information for storing such as computer readable instructions, data structure or program module etc Method or technology come realize volatile and non-volatile, removable and irremovable medium.System storage 1104 is moved and is deposited It stores up equipment 1109 and non-removable storage device 1110 is entirely the example of computer storage medium (that is, memory storage is set It is standby).Computer storage medium may include RAM, ROM, electricallyerasable ROM (EEROM) (EEPROM), flash memory or other memories Technology, CD-ROM, digital multi-purpose optical disc (DVD) or other optical storages, cassette tape, tape, disk storage or other magnetic Storage equipment or any other product that can be used in storing the information to be accessed by calculating equipment 1100.It is any this Computer storage medium can be a part for calculating equipment 1100.Computer storage medium do not include carrier waveform or its Its transmitting signal or the data-signal of modulation.
Communication media can pass through computer readable instructions, data structure, program module or the data-signal of modulation (example Such as, carrier waveform or other transmission mechanisms) in other data embody, including any information delivery media.Term be " modulation Data-signal " can describe that one or more characteristics are set or changed in the way of a kind of, so as to the information in this signal The signal encoded.Such as, but not limited to, communication media may include such as cable network or direct wired connection etc Wired medium, and the wireless medium of such as sound wave, radio frequency (RF), infrared ray and other wireless mediums etc.
Figure 10 A and Figure 10 B show the mobile computing device 1200 that the embodiment of the present invention can be implemented, for example, mobile Phone, smart phone, tablet personal computer, laptop computer etc..Referring to Figure 10 A, the figure shows for realizing this One embodiment of the mobile computing device 1200 of a little embodiments.In basic configuration, mobile computing device 1200 be have it is defeated Enter the handheld computer of unit and output unit.In general, mobile computing device 1200 includes display 1205 and one or more A input key 1210 allows user to input information to mobile computing device 1200.The display of mobile computing device 1200 1205 can also realize the function (for example, touch-screen display) of input equipment.If including, optional side input Unit 1215 allows other user to input.Side input unit 1215 can be rotary switch, key or any other class Type is manually entered unit.In alternate embodiments, mobile computing device 1200 can merge more or less input Unit.For example, in some embodiments, display 1205 can not be touch screen.In another alternate embodiment, mobile meter Calculating equipment 1200 is portable telephone system (e.g., cellular phone).Mobile computing device 1200 can also include optional small key Disk 1235." 
soft " keyboard that optional keypad 1235 can be physical keyboard or generate on touch-screen display.Each In a embodiment, output unit includes for showing the display 1205 of graphic user interface (GUI), visual detector 1220 (for example, Light-Emitting Diode) and/or audio-frequency transducer 1225 (for example, loudspeaker).In some embodiments, mobile computing device 1200 are associated with vibration transducer, to provide a user touch feedback.In another embodiment, mobile computing device 1200 closes And port is input and/or output, for example, audio input (e.g., microphone jack), audio output (e.g., earphone jack) and video It exports (e.g., the port HDMI), to send signal to external equipment or to receive signal from external equipment.
Figure 10 B is the block diagram for showing the framework of one embodiment of mobile computing device.That is, mobile computing device 1200 can be with combination system 1202 (that is, framework) to realize some embodiments.In one embodiment, system 1202 is implemented as One or more application can be run (for example, browser, Email, calendar, contact manager, information client side, game With media client/player) " smart phone ".In some embodiments, system 1202 is integrated into calculating equipment, such as Integrated personal digital assistant (PDA) and radio telephone.
One or more application program 1266 can be loaded into memory 1262, operate in operating system 1264 or Person is associated with operating system 1264.The example of these application programs includes dialing disc program, e-mail program, individual Information management (PIM) program, word processing program, spreadsheet program, internet browser program, messaging program etc..This Outside, system 1202 further includes the nonvolatile storage 1268 in memory 1262.Nonvolatile storage 1268 can be with For storing the permanent information that will not be lost in 1202 power down of system.Application program 1266 can be used and store non-volatile Information in property storage region 1268, for example, Email that e-mail applications use or other message etc..It synchronizes and answers It is also located in system 1202 with (not shown), is programmed to be handed over the respective synchronization application being located on host computer Mutually, to keep the information stored in nonvolatile storage 1268 synchronous with the corresponding information that host computer is stored.It answers When understanding, the other application including anomaly detector 26 as described herein can be loaded into memory 1262, and It operates on mobile computing device 1200.
System 1202 has power supply 1270, and wherein one or more battery may be implemented into the power supply 1270.Power supply 1270 It can also include external power supply, for example, AC adapter, either branch is docked in the power supply for being supplemented battery or being charged Seat.
In addition, system 1202 can also include radio device 1272, it is logical that the latter's execution sends and receives radio frequency The function of letter.Radio device 1272 facilitates via common carrier or service provider, Lai Shixian system 1202 and " outer Wireless connection between the world, portion ".It carries out under the control of operating system 1264 to and from radio device 1272 Transmission.In other words, the received communication of radio device 1272 can be broadcast to application program via operating system 1264 1266, vice versa.
Visual detector 1220, which may be used to provide visual notification and/or audio interface 1274, can be used for via audio Energy converter 1225 generates audible notice.In the embodiment illustrated, visual detector 1220 is light emitting diode (LED), audio-frequency transducer 1225 is loudspeaker.These equipment may be coupled directly to power supply 1270, so that when activating, they The duration indicated by informing mechanism is still maintained (even if processor 1260 and other components may be closed to save battery electricity Amount).LED can be programmed to be kept for the uncertain time, until user takes action to indicate the booting shape of the equipment State.Audio interface 1274 is for providing a user earcon and receiving earcon from user.For example, in addition to being coupled to audio Except energy converter 1225, audio interface 1274 is also coupled to microphone to receive audible input, such as promoting phone Session.According to an embodiment of the invention, microphone can function as audio sensor, it is such as following to promote the control to notice By description.In addition, system 1202 can also include video interface 1276, the latter starts the operation of onboard camera to record Static image, video flowing etc..
The mobile computing device 1200 of realization system 1202 can have other feature or function.For example, mobile computing Equipment 1200 can also include that the other data storage device of such as disk, CD or tape etc is (removable and/or can not It is mobile).In fig. 1 ob, this other storage equipment is shown by nonvolatile storage 1268.In addition, mobile meter Calculating equipment 1200 can also include peripheral device port 1230.
The data/information for being generated or being captured by mobile computing device 1200 and stored via system 1202, can be local Being stored on mobile computing device 1200 (as described above) or the data can store on any number of storage medium, Wherein the equipment can via radio device 1272 or via mobile computing device 1200 and with the mobile computing device 1200 associated independent calculating equipment (for example, server computer in the distributed computing network of such as internet etc) Between wired connection access these storage mediums.It should be understood that mobile computing device 1200 can be via radio Device 1272 accesses the data/information via distributed computing network.It similarly, can be according to well known data/letter It ceases transimission and storage unit (it includes Email and collaborative data/information shared system), is easy between computing devices Ground transmits the data/information, to be stored and to be used.
Figure 11 shows a kind of embodiment of the framework of exemplary system, as described above.It is developed with anomaly detector 26 Content, the content interacted with anomaly detector 26 or the content edited in association with anomaly detector 26, can be stored in In different communication channels or other storage classes.It is, for example, possible to use directory service 1322, Web portal 1324, mailbox clothes Business 1326, instant message storage 1328 or social network site 1330 store various documents.Anomaly detector 26 can make Realize that data are utilized with any one of system of these types or the like, as described herein.Server 1320 Anomaly detector 26 can be provided to client.It gives one example, server 1320 can be through WWW and provide exception The web server of detector 26.Server 1320 provides anomaly detector to client on the world wide web (www by network 1315 26.For example, client computing device can be implemented as calculating equipment 1100 and is embodied in personal computer, plate calculating In equipment 1310 and/or mobile computing device 1200 (for example, smart phone).Client computing device 1100,1310,1200 Any one of these embodiments can obtain the content from storage 1316.
For example, above with reference to the method, system and computer program product of embodiment according to the present invention block diagram and/or Operability explanation, to describe the embodiment of the present invention.Function action described in these frames can according to any process Order in a different order shown in figure occurs.For example, in fact can be substantially concurrent with two frames shown in conitnuous forms Ground executes or these frames can be executed sometimes with reverse order, depends on related function action.
The description and explanation of one or more embodiments provided in the application, it is not intended that limit in any way Or protection scope of the present invention that constraint such as claim is advocated.Embodiment provided in the application, example and details Be considered being enough to convey the ownership of the invention to being advocated, and enable other people manufacture and use advocated it is of the invention Optimal mode.The present invention advocated should not be construed as limited to any embodiment, example or details provided herein. It is either still individually shown and is described in a joint manner, various features (including structures and methods) are intended to by selectivity Ground includes or omits, to generate the embodiment with one group of special characteristic.After the description of the present application and explanation are provided, this Field those of ordinary skill is it is envisioned that fall into the modification within broader aspects of inventive concept embodied herein, modification And alternate embodiment, without departing from the wider protection scope of the invention advocated.

Claims (10)

1. A method for detecting anomalous activity in an online service, comprising:
accessing a baseline profile that includes past event information, the past event information relating to a plurality of past events, wherein each past event of the plurality of past events originates from at least one account of the online service;
calculating a first past event frequency of a first past event, wherein the first past event frequency is determined relative to the other past events in the plurality of past events;
calculating a second past event frequency of a second past event, wherein the second past event frequency is determined relative to the other past events in the plurality of past events;
accessing a recent profile that includes recent event information, the recent event information relating to recent events originating from the account of the online service;
calculating a first recent event frequency of a first recent event among the recent events, wherein the first recent event frequency is determined relative to the other recent events;
calculating a second recent event frequency of a second recent event among the recent events, wherein the second recent event frequency is determined relative to the other recent events;
determining that the first past event occurs at a higher frequency than the first recent event;
determining that the second past event occurs at a lower frequency than the second recent event; and
generating a report, wherein the report includes information regarding the first past event occurring at the higher frequency than the first recent event and the second past event occurring at the lower frequency than the second recent event.
2. The method of claim 1, wherein the past event information and the recent event information comprise security events of the online service.
3. The method of claim 1, wherein the recent profile includes the recent event information relating to activity that occurred within a window of between several hours and one day.
4. The method of claim 1, wherein determining that the first past event occurs at the higher frequency than the first recent event comprises setting a weight.
5. The method of claim 1, further comprising receiving configuration information, the configuration information configuring the events to be monitored and included in the recent profile and the baseline profile.
6. A computer-readable storage device storing computer-executable instructions which, when executed by a processor, cause the processor to perform steps for detecting anomalous activity in an online service, the steps comprising:
accessing a baseline profile that includes past event information relating to events of a first type and events of a second type, wherein each event of the first type and each event of the second type originates from an account of the online service;
calculating a ratio between the occurrences of the events of the first type and the occurrences of the events of the second type to form a baseline ratio;
accessing a recent profile that includes recent event information relating to recent events, the recent event information originating from the account of the online service within the last day, wherein the recent event information includes a first plurality of events, wherein each event of the first plurality of events is classified as an event of the first type, and wherein the recent event information includes a second plurality of events, wherein each event of the second plurality of events is classified as an event of the second type;
calculating a ratio between the occurrences of the first plurality of events and the occurrences of the second plurality of events to form a recent event frequency;
comparing the baseline ratio with the recent event frequency;
determining that the baseline ratio differs from the recent event frequency; and
reporting an indication that the baseline ratio differs from the recent event frequency.
7. A system for detecting anomalous activity in an online service, comprising:
a processor and a memory;
an operating environment executing using the processor; and
an anomaly detector configured to perform actions comprising:
accessing a baseline profile that includes past event information relating to events of a first type and events of a second type, wherein each event of the first type and each event of the second type originates from an account of the online service;
comparing the events of the first type with the events of the second type to form a baseline ratio;
accessing a recent profile that includes recent event information, wherein the recent event information includes a first plurality of events, wherein each event of the first plurality of events is classified as an event of the first type, and wherein the recent event information includes a second plurality of events, wherein each event of the second plurality of events is classified as an event of the second type;
comparing the first plurality of events with the second plurality of events to form a recent event frequency;
comparing the baseline ratio with the recent event frequency; and
reporting anomalous activity based on the comparison between the baseline ratio and the recent event frequency.
8. The system of claim 7, further comprising: periodically accessing a system log to obtain event information from accounts of the online service, and using the accessed information to update the baseline profile and the recent profile.
9. The system of claim 7, further comprising: associating a weight with each of the events included in the baseline profile.
10. The system of claim 7, further comprising:
displaying a graphical user interface (GUI), and receiving, from the GUI, configuration information relating to configuring the events.
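The per-account comparison that claims 1 and 6-10 describe (baseline profile versus recent profile, event frequencies measured relative to the account's other events, per-type weights, a ratio between two event types, and a report of the types that moved), carried out in Python as an added example that is not part of the patent or of Microsoft's own code. The account names, event types, counts, the tolerance and the min_count guard are constructed assumptions; the patent fixes none of them.

```python
"""Baseline-vs-recent event frequency comparison for one account of an online service.

Added illustration, not the patent's code. Event types, counts, account names,
`tolerance` and `min_count` are constructed assumptions.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[str, str]  # (account, event_type)


def make_log(account: str, counts: Dict[str, int]) -> List[Event]:
    """Expand a {event_type: count} mapping into individual log records (constructed data)."""
    return [(account, kind) for kind, n in counts.items() for _ in range(n)]


# Constructed sample logs: a multi-week baseline window and a one-day recent window.
BASELINE_LOG = (
    make_log("alice", {"login": 200, "file_read": 150, "file_share": 20, "password_reset": 2})
    + make_log("bob", {"login": 50, "file_share": 40})
)
RECENT_LOG = (
    make_log("alice", {"login": 8, "file_read": 5, "file_share": 30})
    + make_log("bob", {"login": 2, "file_share": 2})
)


def build_profile(log: Iterable[Event], account: str) -> Counter:
    """Count events per type for one account: the baseline or recent profile of the claims."""
    return Counter(kind for acct, kind in log if acct == account)


def relative_frequency(profile: Counter, kind: str,
                       weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted share of `kind` among all events in the profile (claim 1; weights as in claim 4)."""
    weights = weights or {}
    total = sum(weights.get(k, 1.0) * n for k, n in profile.items())
    if total == 0:
        return 0.0
    return weights.get(kind, 1.0) * profile.get(kind, 0) / total


def type_ratio(profile: Counter, first: str, second: str) -> float:
    """Occurrences of `first` divided by occurrences of `second` (the claim 6 baseline ratio)."""
    numerator, denominator = profile.get(first, 0), profile.get(second, 0)
    if denominator == 0:  # undefined ratio: report inf when the first type occurred, else 0
        return math.inf if numerator else 0.0
    return numerator / denominator


def compare_profiles(baseline: Counter, recent: Counter, tolerance: float = 0.5,
                     weights: Optional[Dict[str, float]] = None,
                     min_count: int = 5) -> List[dict]:
    """Flag event types whose recent share moved beyond +/- tolerance of the baseline share.

    min_count skips types too rare in both windows to judge (an assumed guard, not in the patent).
    """
    flagged = []
    for kind in sorted(set(baseline) | set(recent)):
        if baseline.get(kind, 0) + recent.get(kind, 0) < min_count:
            continue
        base_f = relative_frequency(baseline, kind, weights)
        rec_f = relative_frequency(recent, kind, weights)
        if rec_f > base_f * (1 + tolerance):
            direction = "higher"   # past event occurred at a lower frequency than the recent one
        elif rec_f < base_f * (1 - tolerance):
            direction = "lower"    # past event occurred at a higher frequency than the recent one
        else:
            continue
        flagged.append({"event": kind, "baseline": base_f, "recent": rec_f, "direction": direction})
    return flagged


def ratio_changed(baseline: Counter, recent: Counter, first: str, second: str,
                  tolerance: float = 0.5) -> bool:
    """Claims 6-7: does the recent first:second ratio differ from the baseline ratio?"""
    b, r = type_ratio(baseline, first, second), type_ratio(recent, first, second)
    if math.isinf(b) or math.isinf(r):
        return b != r
    return abs(r - b) > tolerance * b


def format_report(account: str, flagged: List[dict]) -> List[str]:
    """Render the report of claim 1 as text lines, one per deviating event type."""
    lines = [f"account {account}: {len(flagged)} event type(s) deviate from baseline"]
    for f in flagged:
        lines.append(f"  {f['event']}: baseline {f['baseline']:.3f} -> recent {f['recent']:.3f} "
                     f"({f['direction']})")
    return lines


if __name__ == "__main__":
    base = build_profile(BASELINE_LOG, "alice")
    rec = build_profile(RECENT_LOG, "alice")
    print("\n".join(format_report("alice", compare_profiles(base, rec))))
    print("login:file_share ratio changed:", ratio_changed(base, rec, "login", "file_share"))
```

With the constructed data, alice's file_share share jumps from about 5% to about 70% of her activity while logins and reads fall, which is the pattern the report is meant to surface for review.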
CN201480069416.7A 2013-12-19 2014-12-11 Detecting anomalous activity from accounts of online services Active CN105874767B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US14/134,575 2013-12-19
US14/134,575 US9210183B2 (en) 2013-12-19 2013-12-19 Detecting anomalous activity from accounts of an online service
PCT/US2014/069638 WO2015094873A1 (en) 2013-12-19 2014-12-11 Detecting anomalous activity from accounts of an online service

Publications (2)

Publication Number Publication Date
CN105874767A CN105874767A (en) 2016-08-17
CN105874767B true CN105874767B (en) 2019-03-26

Family

ID=52358974

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480069416.7A Active CN105874767B (en) 2013-12-19 2014-12-11 Detecting anomalous activity from accounts of online services

Country Status (4)

Country Link
US (2) US9210183B2 (en)
EP (1) EP3085053A1 (en)
CN (1) CN105874767B (en)
WO (1) WO2015094873A1 (en)

Families Citing this family (155)
US11979422B1 (en) * 2017-11-27 2024-05-07 Lacework, Inc. Elastic privileges in a secure access service edge
US10785190B2 (en) * 2017-12-13 2020-09-22 Adaptiv Networks Inc. System, apparatus and method for providing a unified firewall manager
US11438337B2 (en) * 2017-12-15 2022-09-06 Sap Se Multi-tenant support user cloud access
CN108133373A (en) * 2018-01-04 2018-06-08 交通银行股份有限公司 Method and device for finding risk accounts involving machine behavior
US10860664B2 (en) 2018-03-19 2020-12-08 Roblox Corporation Data flood checking and improved performance of gaming processes
US10388286B1 (en) * 2018-03-20 2019-08-20 Capital One Services, Llc Systems and methods of sound-based fraud protection
US10915587B2 (en) 2018-05-18 2021-02-09 Google Llc Data processing system for generating entries in data structures from network requests
US10867044B2 (en) * 2018-05-30 2020-12-15 AppOmni, Inc. Automatic computer system change monitoring and security gap detection system
US10887446B2 (en) 2018-06-01 2021-01-05 T-Mobile Usa, Inc. Detecting nuisance and restricted communications via a communication privilege control system
US10467310B1 (en) * 2018-06-02 2019-11-05 Romit Dey Selective online content removal based on activity history
US11218297B1 (en) * 2018-06-06 2022-01-04 Tripwire, Inc. Onboarding access to remote security control tools
RU2708355C1 (en) * 2018-06-29 2019-12-05 Акционерное общество "Лаборатория Касперского" Method of detecting malicious files that counteract analysis in isolated environment
US11017076B2 (en) * 2018-08-08 2021-05-25 Microsoft Technology Licensing, Llc Enhancing security using anomaly detection
US11165776B2 (en) * 2018-08-28 2021-11-02 International Business Machines Corporation Methods and systems for managing access to computing system resources
US10938853B1 (en) * 2018-08-29 2021-03-02 Amazon Technologies, Inc. Real-time detection and clustering of emerging fraud patterns
US10942863B2 (en) 2018-08-30 2021-03-09 Micron Technology, Inc. Security configurations in page table entries for execution domains using a sandbox application operation
US11500665B2 (en) 2018-08-30 2022-11-15 Micron Technology, Inc. Dynamic configuration of a computer processor based on the presence of a hypervisor
US11182507B2 (en) * 2018-08-30 2021-11-23 Micron Technology, Inc. Domain crossing in executing instructions in computer processors
US11481241B2 (en) 2018-08-30 2022-10-25 Micron Technology, Inc. Virtual machine register in a computer processor
US11914726B2 (en) 2018-08-30 2024-02-27 Micron Technology, Inc. Access control for processor registers based on execution domains
US11562315B2 (en) * 2018-08-31 2023-01-24 Accenture Global Solutions Limited Detecting an issue related to a report
US10999135B2 (en) * 2018-09-19 2021-05-04 Google Llc Fast provisioning in cloud computing environments
CN110431580B (en) * 2018-11-30 2023-05-16 创新先进技术有限公司 Using random number tables to reduce concurrent blockchain transaction failures
US11675902B2 (en) * 2018-12-05 2023-06-13 Vmware, Inc. Security detection system with privilege management
US11188661B2 (en) * 2018-12-12 2021-11-30 Sap Se Semi-rule based high performance permission management
GB201820853D0 (en) 2018-12-20 2019-02-06 Palantir Technologies Inc Detection of vulnerabilities in a computer network
US11681710B2 (en) * 2018-12-23 2023-06-20 Microsoft Technology Licensing, Llc Entity extraction rules harvesting and performance
EP3678348A1 (en) 2019-01-04 2020-07-08 Ping Identity Corporation Methods and systems for data traffic based adaptive security
US11140182B2 (en) 2019-01-11 2021-10-05 Optum, Inc. Predictive anomaly handling in a service provider system
CN109817347A (en) * 2019-01-15 2019-05-28 深圳市道通科技股份有限公司 Inline diagnosis platform, rights management method therefor, and rights management system
US11210407B2 (en) * 2019-01-25 2021-12-28 V440 Spółka Akcyjna Electronic communications device and messaging application therefor
US11102187B2 (en) * 2019-02-20 2021-08-24 Aetna Inc. Systems and methods for managing workflow transactions including protected personal data in regulated computing environments
US11283827B2 (en) * 2019-02-28 2022-03-22 Xm Cyber Ltd. Lateral movement strategy during penetration testing of a networked system
US11570213B2 (en) * 2019-04-03 2023-01-31 Cisco Technology, Inc. Collaborative security for application layer encryption
US11151576B2 (en) 2019-04-05 2021-10-19 At&T Intellectual Property I, L.P. Authorizing transactions using negative pin messages
US11126713B2 (en) * 2019-04-08 2021-09-21 Microsoft Technology Licensing, Llc Detecting directory reconnaissance in a directory service
US10997295B2 (en) 2019-04-26 2021-05-04 Forcepoint, LLC Adaptive trust profile reference architecture
US11863580B2 (en) 2019-05-31 2024-01-02 Varmour Networks, Inc. Modeling application dependencies to identify operational risk
US11310284B2 (en) 2019-05-31 2022-04-19 Varmour Networks, Inc. Validation of cloud security policies
US11711374B2 (en) 2019-05-31 2023-07-25 Varmour Networks, Inc. Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11290493B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Template-driven intent-based security
US11290494B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Reliability prediction for cloud security policies
US11575563B2 (en) 2019-05-31 2023-02-07 Varmour Networks, Inc. Cloud security management
US11226983B2 (en) * 2019-06-18 2022-01-18 Microsoft Technology Licensing, Llc Sub-scope synchronization
US11316851B2 (en) 2019-06-19 2022-04-26 EMC IP Holding Company LLC Security for network environment using trust scoring based on power consumption of devices within network
US11343257B2 (en) * 2019-06-27 2022-05-24 Microsoft Technology Licensing, Llc Extended domain platform for nonmember user account management
US11329987B2 (en) * 2019-07-08 2022-05-10 Bank Of America Corporation Protecting enterprise computing resources by implementing an optical air gap system
US11027196B2 (en) * 2019-09-04 2021-06-08 Take-Two Interactive Software, Inc. System and method for managing transactions in a multiplayer network gaming environment
US11936739B2 (en) * 2019-09-12 2024-03-19 Oracle International Corporation Automated reset of session state
US11461484B2 (en) 2019-12-30 2022-10-04 Imperva, Inc. Capturing contextual information for data accesses to improve data security
US20210233081A1 (en) * 2020-01-27 2021-07-29 Visa International Service Association Embedding inferred reaction correspondence from decline data
US11455532B2 (en) * 2020-03-18 2022-09-27 Optum Services (Ireland) Limited Single point facility utility sensing for monitoring welfare of a facility occupant
US11410178B2 (en) 2020-04-01 2022-08-09 Mastercard International Incorporated Systems and methods for message tracking using real-time normalized scoring
US11715106B2 (en) 2020-04-01 2023-08-01 Mastercard International Incorporated Systems and methods for real-time institution analysis based on message traffic
US11023607B1 (en) * 2020-04-03 2021-06-01 Imperva, Inc. Detecting behavioral anomalies in user-data access logs
CN111553700B (en) * 2020-05-07 2023-03-21 支付宝(杭州)信息技术有限公司 Payment risk identification method and device
US11676368B2 (en) 2020-06-30 2023-06-13 Optum Services (Ireland) Limited Identifying anomalous activity from thermal images
US11379775B2 (en) * 2020-07-14 2022-07-05 BankCard Services, LLC Computer-based information management system configured for automated and dynamic account analysis and methods thereof
US11321157B2 (en) * 2020-08-31 2022-05-03 Northrop Grumman Systems Corporation Method of operating a digital system operable in multiple operational states and digital system implementing such method
US11522863B2 (en) * 2020-10-29 2022-12-06 Shopify Inc. Method and system for managing resource access permissions within a computing environment
US12088583B2 (en) * 2020-11-11 2024-09-10 Hewlett Packard Enterprise Development Lp Permissions for backup-related operations
WO2022120840A1 (en) * 2020-12-11 2022-06-16 Beijing Didi Infinity Technology And Development Co., Ltd. Systems and methods for improving security
US11818152B2 (en) 2020-12-23 2023-11-14 Varmour Networks, Inc. Modeling topic-based message-oriented middleware within a security system
US11876817B2 (en) 2020-12-23 2024-01-16 Varmour Networks, Inc. Modeling queue-based message-oriented middleware relationships in a security system
US11943235B2 (en) 2021-01-04 2024-03-26 Saudi Arabian Oil Company Detecting suspicious user logins in private networks using machine learning
US11777978B2 (en) 2021-01-29 2023-10-03 Varmour Networks, Inc. Methods and systems for accurately assessing application access risk
US12050693B2 (en) 2021-01-29 2024-07-30 Varmour Networks, Inc. System and method for attributing user behavior from multiple technical telemetry sources
US11785015B2 (en) * 2021-02-24 2023-10-10 Bank Of America Corporation Information security system for detecting unauthorized access requests
US11941155B2 (en) 2021-03-15 2024-03-26 EMC IP Holding Company LLC Secure data management in a network computing environment
US11895133B2 (en) * 2021-04-05 2024-02-06 Bank Of America Corporation Systems and methods for automated device activity analysis
US11716340B2 (en) * 2021-05-28 2023-08-01 Microsoft Technology Licensing, Llc Threat detection using cloud resource management logs
US12010125B2 (en) * 2021-06-29 2024-06-11 Microsoft Technology Licensing, Llc Anomaly detection in an application with delegate authorization
US11546769B1 (en) * 2021-06-30 2023-01-03 Fortinet, Inc. NGFW (next generation firewall) security inspection over multiple sessions of message session relay protocol (MSRP) on a data communication network
US11734316B2 (en) 2021-07-08 2023-08-22 Varmour Networks, Inc. Relationship-based search in a computing environment
US11829509B2 (en) * 2021-07-15 2023-11-28 AVAST Software s.r.o. Data exfiltration detection
KR102369960B1 (en) * 2021-07-30 2022-03-04 쿠팡 주식회사 Electronic apparatus for providing information based on existence of a user account and method thereof
WO2023069213A1 (en) * 2021-10-20 2023-04-27 Visa International Service Association Method, system, and computer program product for auto-profiling anomalies
US11748374B2 (en) * 2021-11-30 2023-09-05 Snowflake Inc. Replication group objects configuration in a network-based database system
US20230269262A1 (en) * 2022-02-24 2023-08-24 Microsoft Technology Licensing, Llc Detecting mass control plane operations
US20230267198A1 (en) * 2022-02-24 2023-08-24 Microsoft Technology Licensing, Llc Anomalous behavior detection with respect to control plane operations
WO2024144778A1 (en) * 2022-12-29 2024-07-04 Varonis Systems, Inc. Indicators of compromise of access

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004104780A2 (en) * 2003-05-15 2004-12-02 Caslin Michael F Method and system for providing fraud detection for remote access services
CN102694696A (en) * 2012-05-14 2012-09-26 中国科学院计算机网络信息中心 Method and device for anomaly detection of DNS (domain name system) server

Family Cites Families (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5819226A (en) * 1992-09-08 1998-10-06 Hnc Software Inc. Fraud detection using predictive modeling
US20040185830A1 (en) * 1996-08-08 2004-09-23 Joao Raymond Anthony Apparatus and method for providing account security
US20080275820A1 (en) * 2000-01-21 2008-11-06 Raymond Anthony Joao Apparatus and method for providing account security
US20080010678A1 (en) * 2004-09-17 2008-01-10 Jeff Burdette Authentication Proxy
US8832048B2 (en) 2005-12-29 2014-09-09 Nextlabs, Inc. Techniques and system to monitor and log access of information based on system and user context using policies
US20070289013A1 (en) 2006-06-08 2007-12-13 Keng Leng Albert Lim Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms
US8036967B2 (en) * 2007-01-12 2011-10-11 Allegacy Federal Credit Union Bank card fraud detection and/or prevention methods
US8234240B2 (en) 2007-04-26 2012-07-31 Microsoft Corporation Framework for providing metrics from any datasource
WO2008134039A1 (en) * 2007-04-27 2008-11-06 Total System Services, Inc. Method and system for detecting fraud in financial transactions
US9727440B2 (en) 2007-06-22 2017-08-08 Red Hat, Inc. Automatic simulation of virtual machine performance
US8121962B2 (en) * 2008-04-25 2012-02-21 Fair Isaac Corporation Automated entity identification for efficient profiling in an event probability prediction system
US8230269B2 (en) 2008-06-17 2012-07-24 Microsoft Corporation Monitoring data categorization and module-based health correlations
US8090648B2 (en) * 2009-03-04 2012-01-03 Fair Isaac Corporation Fraud detection based on efficient frequent-behavior sorted lists
US9397979B2 (en) 2009-04-22 2016-07-19 Hewlett Packard Enterprise Development Lp Router method and system
US20120137367A1 (en) 2009-11-06 2012-05-31 Cataphora, Inc. Continuous anomaly detection based on behavior modeling and heterogeneous information analysis
US8904241B2 (en) 2011-07-27 2014-12-02 Oracle International Corporation Proactive and adaptive cloud monitoring
US20120016633A1 (en) * 2010-07-16 2012-01-19 Andreas Wittenstein System and method for automatic detection of anomalous recurrent behavior
US9710857B2 (en) * 2010-11-19 2017-07-18 Sap Se Detecting anomalous user activity
US8646073B2 (en) 2011-05-18 2014-02-04 Check Point Software Technologies Ltd. Detection of account hijacking in a social network
US8881289B2 (en) * 2011-10-18 2014-11-04 Mcafee, Inc. User behavioral risk assessment
US9106687B1 (en) * 2011-11-01 2015-08-11 Symantec Corporation Mechanism for profiling user and group accesses to content repository
US8745216B2 (en) 2011-11-17 2014-06-03 Infosys Limited Systems and methods for monitoring and controlling a service level agreement
EP2880820A4 (en) * 2012-07-31 2016-03-23 Hewlett Packard Development Co Pattern consolidation to identify malicious activity
US9166993B1 (en) * 2013-07-25 2015-10-20 Symantec Corporation Anomaly detection based on profile history and peer history
US9558347B2 (en) * 2013-08-27 2017-01-31 Globalfoundries Inc. Detecting anomalous user behavior using generative models of user actions

Also Published As

Publication number Publication date
CN105874767A (en) 2016-08-17
US9210183B2 (en) 2015-12-08
WO2015094873A1 (en) 2015-06-25
EP3085053A1 (en) 2016-10-26
US20150180894A1 (en) 2015-06-25
US20160080406A1 (en) 2016-03-17

Similar Documents

Publication Publication Date Title
CN105874767B (en) Detecting anomalous activity from accounts of online services
US11941089B2 (en) Pairing devices to prevent digital content misuse
US8881249B2 (en) Scalable and automated secret management
US9825956B2 (en) Systems and methods for access permission revocation and reinstatement
US20170237729A1 (en) Securing user-accessed applications in a distributed computing environment
US10158670B1 (en) Automatic privilege determination
CN104838630B (en) Policy-based application management
CN102947797B (en) Online service access control using scale-out directory features
US11948196B2 (en) Asset management techniques
CN103620615A (en) Access control architecture
CN103632082A (en) Universal permission management system and universal permission management method
US9729552B2 (en) Access violation mitigation system
CN112818335A (en) Method for managing and controlling safe operation and maintenance of privileged account
US10965551B2 (en) Secure count in cloud computing networks
US20190354352A1 (en) Facilitation of microservice user interface framework
WO2017114210A1 (en) Apparatus and method for security control of data processing system
CN103778379B (en) Managing application execution and data access on a device
CN106933605A (en) An intelligent process recognition control method and system
US8155275B1 (en) Systems and methods for managing alarms from recorders
WO2002067173A9 (en) A hierarchy model
Camilleri Data security in cloud-centric multi-tenant databases
AU2002245006B2 (en) A hierarchy model
Mudiyanselage BACHELOR THESIS ASSIGNMENT
AU2002245006A1 (en) A hierarchy model

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant